Manage application policies

This topic describes how administrators can view and manage application security policies.

Overview

The Secure Web Sessions portal displays all the SSO applications that you can apply policies to. For each application, you can apply specific protections and security layers. For CyberArk Identity applications, you can also apply security layers by group membership or to individual users.

You can apply four types of security layers:

Security layer

Description

Step Recording

Monitors and records all user actions and events in the application.

The recording is not a video but a step-by-step log with screenshots, and it is fully searchable.

User events are captured locally in the browser via the Secure Web Sessions browser extension.

For more information, see What is Step Recording?

Session Protection

Protects the user's web session in the browser, scoped to the specific tab. This protects high-risk web sessions from malicious processes running on the endpoint.

The following protections can be applied:

  • Block file downloads, context menu and clipboard actions

  • Enforce EPM protection

For more information, see What is Session Protection?

Continuous Authentication

Validates and verifies the user throughout their web session, based on certain conditions.

For more information, see What is Continuous Authentication?

Session Control

Implements controls and/or sends notifications based on rules that define specific user actions.

For more information, see What is Session Control?
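The Session Protection layer's "Block file downloads, context menu and clipboard actions" option cancels cut, copy, paste, drag-and-drop and context-menu actions in the protected tab. The following JavaScript is an added illustration written for this page of how a browser extension's content script can enforce those blocks; it is not Secure Web Sessions code. The event names are standard DOM events; the `policy` object shape, the `installSessionProtection` name and the simulated `EventTarget` are assumptions made for this example.

```javascript
// Added example (not Secure Web Sessions code): enforcing clipboard,
// drag-and-drop and context-menu blocking on a protected tab.
// Assumed policy shape: { blockClipboard: bool, blockContextMenu: bool }

// DOM events that carry text or files out of (or into) the page.
const CLIPBOARD_EVENTS = ["cut", "copy", "paste"];
const DRAG_EVENTS = ["dragstart", "drop"];
const BLOCKED_TYPES = [...CLIPBOARD_EVENTS, ...DRAG_EVENTS, "contextmenu"];

// Pure decision: should this event type be cancelled under the policy?
// Kept separate from the DOM wiring so it can be unit-tested.
function shouldBlock(eventType, policy) {
  if (policy.blockClipboard &&
      (CLIPBOARD_EVENTS.includes(eventType) || DRAG_EVENTS.includes(eventType))) {
    return true;
  }
  if (policy.blockContextMenu && eventType === "contextmenu") {
    return true;
  }
  return false;
}

// Attach capture-phase listeners so the block runs before any page script,
// and stop propagation so the page never observes the attempt.
// Returns an uninstall function (for example, when the policy is deactivated).
// Direct file downloads cannot be reliably stopped from page context; in a
// real extension they are cancelled from the privileged background context
// with the browser downloads API (chrome.downloads.onCreated /
// chrome.downloads.cancel) for tabs under a protected session.
function installSessionProtection(target, policy, onBlocked = () => {}) {
  const handler = (event) => {
    if (!shouldBlock(event.type, policy)) return;
    event.preventDefault();
    event.stopImmediatePropagation();
    onBlocked(event.type);
  };
  for (const type of BLOCKED_TYPES) {
    target.addEventListener(type, handler, { capture: true });
  }
  return () => {
    for (const type of BLOCKED_TYPES) {
      target.removeEventListener(type, handler, { capture: true });
    }
  };
}

// Simulation with a bare EventTarget (constructed here for the example; in
// the extension the target would be the protected tab's `document`).
function simulate() {
  const policy = { blockClipboard: true, blockContextMenu: true };
  const target = new EventTarget();
  const blocked = [];
  const uninstall = installSessionProtection(target, policy, (t) => blocked.push(t));
  for (const type of ["copy", "paste", "contextmenu", "scroll"]) {
    target.dispatchEvent(new Event(type, { cancelable: true }));
  }
  uninstall();
  // After uninstall the same event is no longer blocked.
  target.dispatchEvent(new Event("copy", { cancelable: true }));
  return blocked; // ["copy", "paste", "contextmenu"]
}

console.log("blocked:", simulate().join(", "));
```

Listeners are registered in the capture phase so the block runs before any listener the web application itself installed, and `stopImmediatePropagation()` keeps page scripts from reacting to the attempt. The returned uninstall function mirrors the Active/Inactive toggle described later on this page: deactivating a policy removes the enforcement without changing the configuration.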

Set security layers for application members

Use this procedure to set the security layers for members of an application.

Applies to CyberArk Identity SSO applications only.

  1. From the Secure Web Sessions portal, go to the Application policies page and select a CyberArk Identity application.

  2. To change the security layers for all members of the application:

    1. In the table heading, select the security layer(s) you want applied to all members.

    2. In the pop-up message, click Add.

  3. To change the security layers for individual users or groups:

    1. Click the Edit button in the row of the group or user.

    2. Select the security layers you want to apply, and click Save.

Edit security layers per application

  1. From the Secure Web Sessions portal, go to the Application policies page and select an application.

  2. Click the Edit button. In the pop-up message, select the security layers you want to apply for this application, and click Save.

Define security layer configurations per application policy

From the Secure Web Sessions portal, go to the Application policies page, select an application, and click the Configuration tab.

Details

Description

Identity app key

The application key received from CyberArk Identity.

Step recording

  • Dynamic URLs - When the toggle is set to ON, recordings are triggered based on the root URLs of the configured application. For example, for AWS dynamic URLs, some of the URLs that would be included are aws.com/users and aws.com/services.

  • Manual mode - When enabled, Secure Web Sessions starts monitoring from the domains or specific application pages (URLs) that you enter. The * wildcard is supported.

    Cloud console applications (for example, Azure and AWS) are tracked by both URL and username. This improves targeting and policy enforcement when parallel cloud console sessions use different accounts.

  • Automatic/Manual excluded domains - Add application domains or specific application pages (URLs) that you want to exclude from recording. This list applies whether Automatic or Manual mode is selected. For example:

    login.cyberark.com

    https://eu123.cyberark.com/WildCardUsageHere?*

    https://eu123.cyberark.com/ThisPage

    If an exclude list is also defined in Settings > Security layers, that list applies to all application policies in the tenant, and the tenant-level exclude list overrides the application-specific exclude list.

Session protection

Set the level of session protection you want applied to application sessions:

  • Block file downloads, context menu and clipboard actions - Blocks the following actions in an application session:

    • Cut/copy text from a protected session

    • Paste text to a protected session

    • Drag and drop action on text in a protected session

    • File downloads, including drag and drop of files from a protected session to a local repository

    • Open the context menu in a protected session

    This option is enabled by default.

  • Enforce EPM protection - Enforces EPM protections in an application session.

    To enforce EPM protection for a specific application, you must first configure and enable the integration from Settings > Security layers. For more information, see Configure Session Protection and EPM integration.

Continuous authentication

Apply the Enforce pedometer lock to lock a sensitive web session when the end user has taken the configured maximum number of steps. This is used to detect sessions that may have been left unattended.

When the maximum number of steps is reached, the end user must re-authenticate to the session by scanning a QR code with the CyberArk Mobile app.

This feature is enabled in Settings > Security layers.
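The Step recording lists in the Configuration tab above (the Manual mode URLs, the application's root URLs for Dynamic URLs, and the application and tenant exclude lists) together decide whether a given page is recorded. The following JavaScript is an added example written for this page to check that decision for a URL before rolling a policy out; it is not Secure Web Sessions code and does not claim to reproduce the product's matcher. The matching rules are assumptions made for the example: an entry with no scheme (such as login.cyberark.com) matches every URL on exactly that host; an entry with a scheme is matched against the full URL with * standing for any run of characters; exclusions are checked before scope; and the tenant-level list is applied on top of the application list, which is how "overrides" is modelled here. The policy object shape and the function names are also assumptions.

```javascript
// Added example (not Secure Web Sessions code): which URLs end up recorded
// under a Step recording policy built from the page's lists.
// Assumed policy shape:
//   { mode: "manual" | "dynamic", manualUrls: [...], rootUrls: [...], excludes: [...] }

// Turn a list entry containing "*" into an anchored, case-insensitive RegExp.
// Every other regex metacharacter in the entry is escaped, so "?" in
// "https://eu123.cyberark.com/WildCardUsageHere?*" stays a literal "?".
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Host-only entries (no scheme) match any URL on that exact host;
// entries with a scheme are matched against the whole URL.
function matches(pattern, url) {
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(pattern)) {
    return new URL(url).hostname === pattern.toLowerCase();
  }
  return patternToRegExp(pattern).test(url);
}

// Returns { recorded, reason } for a URL under the given policy.
// Tenant-level excludes always apply, on top of the application's own list.
function isRecorded(url, policy, tenantExcludes = []) {
  for (const p of [...tenantExcludes, ...policy.excludes]) {
    if (matches(p, url)) return { recorded: false, reason: `excluded by "${p}"` };
  }
  const scope = policy.mode === "manual" ? policy.manualUrls : policy.rootUrls;
  for (const p of scope) {
    if (matches(p, url)) return { recorded: true, reason: `in scope via "${p}"` };
  }
  return { recorded: false, reason: "outside the application's recording scope" };
}

// Constructed sample policy using the exclude entries shown on this page;
// the manual-mode scope entry is made up for the example.
const SAMPLE_POLICY = {
  mode: "manual",
  manualUrls: ["https://eu123.cyberark.com/*"],
  rootUrls: [],
  excludes: [
    "https://eu123.cyberark.com/WildCardUsageHere?*",
    "https://eu123.cyberark.com/ThisPage",
  ],
};
const SAMPLE_TENANT_EXCLUDES = ["login.cyberark.com"];

function demo() {
  const urls = [
    "https://eu123.cyberark.com/Reports",              // recorded
    "https://eu123.cyberark.com/ThisPage",             // app exclude, exact
    "https://eu123.cyberark.com/ThisPageX",            // not the excluded page
    "https://eu123.cyberark.com/WildCardUsageHere?id=7", // app exclude, wildcard
    "https://login.cyberark.com/auth",                 // tenant exclude, host-only
    "https://other.example.com/x",                     // out of scope
  ];
  return urls.map((u) => ({ url: u, ...isRecorded(u, SAMPLE_POLICY, SAMPLE_TENANT_EXCLUDES) }));
}

for (const row of demo()) {
  console.log(`${row.recorded ? "RECORD " : "SKIP   "} ${row.url}  (${row.reason})`);
}
```

Two points the table above does not spell out and the check makes visible: an exclude entry without a wildcard matches only that exact page, so https://eu123.cyberark.com/ThisPageX is still recorded, and a host-only entry such as login.cyberark.com does not cover subdomains. If you rely on either behaviour, confirm it against your tenant rather than against this example.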

Set default security layers for new application members

Use this procedure to set the default security layers that will be applied to new members of an application.

Applies to CyberArk Identity SSO applications only.


New applications enabled for SWS have step recording enabled by default.

  1. From the Secure Web Sessions portal, go to the Application policies page and select an application.

  2. From the Members table, go to the Default security layers for new members row, and click Edit from the quick menu.

  3. In the pop-up message, select the security layers you want to apply, and click Save default.

    The saved default security layers are applied to all new members added to this application.

Change member security layers

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. From the Security layers tab, enable or disable the security layers for this member.

Assign Session Control rules to a member

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

    The list shows the currently assigned rules.

  4. To assign rules to this member, do one of the following:

    • Click Select all

    • Select specific rules and click Assign rules

  5. Click Save.

Manage Session Control rules

  1. Go to the Application policies page, and select an application.

  2. From the Members tab, click the row of a member to view its details.

  3. Select the Session Control rules tab.

  4. Hover over the row of a rule to delete, edit, or view the session recordings where this rule appears.

    You can click View steps to view the specific steps in the timeline where the rule was triggered.

    When you click on a specific rule, you can also view the recent user actions that triggered the rule, and the list of members assigned to the rule.

Deactivate application policies

When new applications are configured with SWS, they are in active mode by default. This means that SWS security layers are applied when users access the application.

You can deactivate application policies so that users are no longer routed through SWS security layers. Deactivating application policies does not delete any configuration, and the policies can be reactivated at any time.

  1. From the Secure Web Sessions portal, go to the Application policies page and select an application.

  2. Change the toggle from Active to Inactive.

Delete application policies

Step recording limitations

  • A keyboard shortcut doesn't trigger a recorded step.

  • Drag-and-drop isn't recorded as a user action.

  • Web applications based on WebGL might not capture all user actions with step recording. Some Microsoft Office applications use this technology; therefore, while recordings of Office 365 web apps include the name and type of files, user actions performed inside the file are not captured.